Scytale today launched Scytale Enterprise, the industry’s first cloud-based subscription offering that enables enterprises to use policies to authenticate cloud-based services with on-premise infrastructure in a compliant manner.
In 2016, I began meeting with Fortune 500 security leaders in Boston, Chicago, New York, San Francisco, and Washington DC, and asked them one simple question that, while seemingly straightforward, produced some pretty complicated answers:
“How will you authenticate your cloud services with your on-premise infrastructure?”
Modern software services are more interconnected and interdependent than ever before. Moreover, as organizations begin moving these services to increasingly dynamic cloud computing platforms (think VMs, containers, serverless, functions, etc.), their services must also become more dynamic.
As organizations adopted these platforms because of the promise of increased business velocity, their authentication strategies needed to evolve, too. What many now have is a complex web of legacy identity and access management (IAM) investments and platform-specific identity providers (IdPs), coupled with costly “glue code” to support their hybrid cloud evolution. This slowed application security reviews, increased costs, and increased time-to-market for new applications.
Many would say that while compliant with existing authentication control requirements, they felt some of their bad on-premise authentication “habits” were finding their way into their cloud investments. For example, many were uncomfortable with using the same legitimately provisioned credentials across multiple cloud services … mostly for the sake of convenience. As this group observed hybrid cloud and multi-cloud aggressively coming towards them, it became clear to them that their service authentication strategy needed to evolve, too.
In 2017, we helped our community launch SPIFFE and SPIRE to give enterprise IT security engineers a more scalable, cloud-native primitive to help them more efficiently and consistently authenticate their cloud-based infrastructure. We’ve since seen uptake and early adoption from organizations like Google, Pinterest, Square, Uber, and more, as well as interest from a growing number of other OSS projects.
The aforementioned security leaders said that while SPIFFE and SPIRE are an important step in the correct direction, any new identity framework MUST co-exist with the considerable investments they had made in other IdPs, such as Microsoft Active Directory. In fact, what they really wanted was a scalable, platform-agnostic way of extending Active Directory’s reach to their cloud-based services, even those running in Microsoft Azure. Whatever the solution, they all made two things very clear to me: 1) do not compromise their existing security posture; and 2) do not worsen their developers’ cloud deployment experience.